|
Packit |
549fdc |
/*
|
|
Packit |
549fdc |
* Copyright (C) 2000-2013 Free Software Foundation, Inc.
|
|
Packit |
549fdc |
* Copyright (C) 2013 Nikos Mavrogiannopoulos
|
|
Packit |
549fdc |
* Copyright (C) 2017 Red Hat, Inc.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* Author: Nikos Mavrogiannopoulos
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* This file is part of GnuTLS.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* The GnuTLS is free software; you can redistribute it and/or
|
|
Packit |
549fdc |
* modify it under the terms of the GNU Lesser General Public License
|
|
Packit |
549fdc |
* as published by the Free Software Foundation; either version 2.1 of
|
|
Packit |
549fdc |
* the License, or (at your option) any later version.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* This library is distributed in the hope that it will be useful, but
|
|
Packit |
549fdc |
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit |
549fdc |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Packit |
549fdc |
* Lesser General Public License for more details.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* You should have received a copy of the GNU Lesser General Public License
|
|
Packit |
549fdc |
* along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Some high level functions to be used in the record encryption are
|
|
Packit |
549fdc |
* included here.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#include "gnutls_int.h"
|
|
Packit |
549fdc |
#include "errors.h"
|
|
Packit |
549fdc |
#include "cipher.h"
|
|
Packit |
549fdc |
#include "algorithms.h"
|
|
Packit |
549fdc |
#include "hash_int.h"
|
|
Packit |
549fdc |
#include "cipher_int.h"
|
|
Packit |
549fdc |
#include "debug.h"
|
|
Packit |
549fdc |
#include "num.h"
|
|
Packit |
549fdc |
#include "datum.h"
|
|
Packit |
549fdc |
#include "kx.h"
|
|
Packit |
549fdc |
#include "record.h"
|
|
Packit |
549fdc |
#include "constate.h"
|
|
Packit |
549fdc |
#include "mbuffers.h"
|
|
Packit |
549fdc |
#include <state.h>
|
|
Packit |
549fdc |
#include <random.h>
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static int encrypt_packet(gnutls_session_t session,
|
|
Packit |
549fdc |
uint8_t * cipher_data, int cipher_size,
|
|
Packit |
549fdc |
gnutls_datum_t * plain,
|
|
Packit |
549fdc |
size_t min_pad,
|
|
Packit |
549fdc |
content_type_t _type,
|
|
Packit |
549fdc |
record_parameters_st * params);
|
|
Packit |
549fdc |
static int decrypt_packet(gnutls_session_t session,
|
|
Packit |
549fdc |
gnutls_datum_t * ciphertext,
|
|
Packit |
549fdc |
gnutls_datum_t * plain,
|
|
Packit |
549fdc |
uint8_t type,
|
|
Packit |
549fdc |
record_parameters_st * params,
|
|
Packit |
549fdc |
gnutls_uint64 * sequence);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* returns ciphertext which contains the headers too. This also
|
|
Packit |
549fdc |
* calculates the size in the header field.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
int
|
|
Packit |
549fdc |
_gnutls_encrypt(gnutls_session_t session,
|
|
Packit |
549fdc |
const uint8_t * data, size_t data_size,
|
|
Packit |
549fdc |
size_t min_pad,
|
|
Packit |
549fdc |
mbuffer_st * bufel,
|
|
Packit |
549fdc |
content_type_t type, record_parameters_st * params)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
gnutls_datum_t plaintext;
|
|
Packit |
549fdc |
int ret;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
plaintext.data = (uint8_t *) data;
|
|
Packit |
549fdc |
plaintext.size = data_size;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
encrypt_packet(session,
|
|
Packit |
549fdc |
_mbuffer_get_udata_ptr(bufel),
|
|
Packit |
549fdc |
_mbuffer_get_udata_size
|
|
Packit |
549fdc |
(bufel), &plaintext, min_pad, type,
|
|
Packit |
549fdc |
params);
|
|
Packit |
549fdc |
if (ret < 0)
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (IS_DTLS(session))
|
|
Packit |
549fdc |
_gnutls_write_uint16(ret,
|
|
Packit |
549fdc |
((uint8_t *)
|
|
Packit |
549fdc |
_mbuffer_get_uhead_ptr(bufel)) + 11);
|
|
Packit |
549fdc |
else
|
|
Packit |
549fdc |
_gnutls_write_uint16(ret,
|
|
Packit |
549fdc |
((uint8_t *)
|
|
Packit |
549fdc |
_mbuffer_get_uhead_ptr(bufel)) + 3);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
_mbuffer_set_udata_size(bufel, ret);
|
|
Packit |
549fdc |
_mbuffer_set_uhead_size(bufel, 0);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return _mbuffer_get_udata_size(bufel);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Decrypts the given data.
|
|
Packit |
549fdc |
* Returns the decrypted data length.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* The output is preallocated with the maximum allowed data size.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
int
|
|
Packit |
549fdc |
_gnutls_decrypt(gnutls_session_t session,
|
|
Packit |
549fdc |
gnutls_datum_t * ciphertext,
|
|
Packit |
549fdc |
gnutls_datum_t * output,
|
|
Packit |
549fdc |
content_type_t type,
|
|
Packit |
549fdc |
record_parameters_st * params, gnutls_uint64 * sequence)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
int ret;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ciphertext->size == 0)
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
decrypt_packet(session, ciphertext,
|
|
Packit |
549fdc |
output, type, params,
|
|
Packit |
549fdc |
sequence);
|
|
Packit |
549fdc |
if (ret < 0)
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return ret;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
inline static int
|
|
Packit |
549fdc |
calc_enc_length_block(gnutls_session_t session,
|
|
Packit |
549fdc |
const version_entry_st * ver,
|
|
Packit |
549fdc |
int data_size,
|
|
Packit |
549fdc |
int hash_size, uint8_t * pad,
|
|
Packit |
549fdc |
unsigned auth_cipher,
|
|
Packit |
549fdc |
uint16_t blocksize,
|
|
Packit |
549fdc |
unsigned etm)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
/* pad is the LH pad the user wants us to add. Besides
|
|
Packit |
549fdc |
* this LH pad, we only add minimal padding
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
unsigned int pre_length = data_size + *pad;
|
|
Packit |
549fdc |
unsigned int length, new_pad;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (etm == 0)
|
|
Packit |
549fdc |
pre_length += hash_size;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
new_pad = (uint8_t) (blocksize - (pre_length % blocksize)) + *pad;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (new_pad > 255)
|
|
Packit |
549fdc |
new_pad -= blocksize;
|
|
Packit |
549fdc |
*pad = new_pad;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
length = data_size + hash_size + *pad;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (_gnutls_version_has_explicit_iv(ver))
|
|
Packit |
549fdc |
length += blocksize; /* for the IV */
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return length;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
inline static int
|
|
Packit |
549fdc |
calc_enc_length_stream(gnutls_session_t session, int data_size,
|
|
Packit |
549fdc |
int hash_size, unsigned auth_cipher,
|
|
Packit |
549fdc |
unsigned exp_iv_size)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
unsigned int length;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
length = data_size + hash_size;
|
|
Packit |
549fdc |
if (auth_cipher)
|
|
Packit |
549fdc |
length += exp_iv_size;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return length;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#define MAX_PREAMBLE_SIZE 16
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* generates the authentication data (data to be hashed only
|
|
Packit |
549fdc |
* and are not to be sent). Returns their size.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
static inline int
|
|
Packit |
549fdc |
make_preamble(uint8_t * uint64_data, uint8_t type, unsigned int length,
|
|
Packit |
549fdc |
const version_entry_st * ver, uint8_t * preamble)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
uint8_t *p = preamble;
|
|
Packit |
549fdc |
uint16_t c_length;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
c_length = _gnutls_conv_uint16(length);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
memcpy(p, uint64_data, 8);
|
|
Packit |
549fdc |
p += 8;
|
|
Packit |
549fdc |
*p = type;
|
|
Packit |
549fdc |
p++;
|
|
Packit |
549fdc |
#ifdef ENABLE_SSL3
|
|
Packit |
549fdc |
if (ver->id != GNUTLS_SSL3)
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
{ /* TLS protocols */
|
|
Packit |
549fdc |
*p = ver->major;
|
|
Packit |
549fdc |
p++;
|
|
Packit |
549fdc |
*p = ver->minor;
|
|
Packit |
549fdc |
p++;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
memcpy(p, &c_length, 2);
|
|
Packit |
549fdc |
p += 2;
|
|
Packit |
549fdc |
return p - preamble;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* This is the actual encryption
|
|
Packit |
549fdc |
* Encrypts the given plaintext datum, and puts the result to cipher_data,
|
|
Packit |
549fdc |
* which has cipher_size size.
|
|
Packit |
549fdc |
* return the actual encrypted data length.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
static int
|
|
Packit |
549fdc |
encrypt_packet(gnutls_session_t session,
|
|
Packit |
549fdc |
uint8_t * cipher_data, int cipher_size,
|
|
Packit |
549fdc |
gnutls_datum_t * plain,
|
|
Packit |
549fdc |
size_t min_pad,
|
|
Packit |
549fdc |
content_type_t type,
|
|
Packit |
549fdc |
record_parameters_st * params)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
uint8_t pad;
|
|
Packit |
549fdc |
int length, ret;
|
|
Packit |
549fdc |
uint8_t preamble[MAX_PREAMBLE_SIZE];
|
|
Packit |
549fdc |
int preamble_size;
|
|
Packit |
549fdc |
int tag_size =
|
|
Packit |
549fdc |
_gnutls_auth_cipher_tag_len(¶ms->write.cipher_state);
|
|
Packit |
549fdc |
int blocksize = _gnutls_cipher_get_block_size(params->cipher);
|
|
Packit |
549fdc |
unsigned algo_type = _gnutls_cipher_type(params->cipher);
|
|
Packit |
549fdc |
uint8_t *data_ptr, *full_cipher_ptr;
|
|
Packit |
549fdc |
const version_entry_st *ver = get_version(session);
|
|
Packit |
549fdc |
int explicit_iv = _gnutls_version_has_explicit_iv(ver);
|
|
Packit |
549fdc |
int auth_cipher =
|
|
Packit |
549fdc |
_gnutls_auth_cipher_is_aead(¶ms->write.cipher_state);
|
|
Packit |
549fdc |
uint8_t nonce[MAX_CIPHER_BLOCK_SIZE];
|
|
Packit |
549fdc |
unsigned imp_iv_size = 0, exp_iv_size = 0;
|
|
Packit |
549fdc |
bool etm = 0;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (unlikely(ver == NULL))
|
|
Packit |
549fdc |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (algo_type == CIPHER_BLOCK && params->etm != 0)
|
|
Packit |
549fdc |
etm = 1;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
_gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
|
|
Packit |
549fdc |
session, _gnutls_cipher_get_name(params->cipher),
|
|
Packit |
549fdc |
_gnutls_mac_get_name(params->mac),
|
|
Packit |
549fdc |
(unsigned int) params->epoch);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Calculate the encrypted length (padding etc.)
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
if (algo_type == CIPHER_BLOCK) {
|
|
Packit |
549fdc |
/* Call gnutls_rnd() once. Get data used for the IV
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
ret = gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize);
|
|
Packit |
549fdc |
if (ret < 0)
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
pad = min_pad;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
length =
|
|
Packit |
549fdc |
calc_enc_length_block(session, ver, plain->size,
|
|
Packit |
549fdc |
tag_size, &pad, auth_cipher,
|
|
Packit |
549fdc |
blocksize, etm);
|
|
Packit |
549fdc |
} else { /* AEAD + STREAM */
|
|
Packit |
549fdc |
imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher);
|
|
Packit |
549fdc |
exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
pad = 0;
|
|
Packit |
549fdc |
length =
|
|
Packit |
549fdc |
calc_enc_length_stream(session, plain->size,
|
|
Packit |
549fdc |
tag_size, auth_cipher,
|
|
Packit |
549fdc |
exp_iv_size);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (length < 0)
|
|
Packit |
549fdc |
return gnutls_assert_val(length);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* copy the encrypted data to cipher_data.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
if (cipher_size < length)
|
|
Packit |
549fdc |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
data_ptr = cipher_data;
|
|
Packit |
549fdc |
full_cipher_ptr = data_ptr;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) {
|
|
Packit |
549fdc |
if (algo_type == CIPHER_BLOCK && explicit_iv != 0) {
|
|
Packit |
549fdc |
/* copy the random IV.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
memcpy(data_ptr, nonce, blocksize);
|
|
Packit |
549fdc |
_gnutls_auth_cipher_setiv(¶ms->write.
|
|
Packit |
549fdc |
cipher_state, data_ptr,
|
|
Packit |
549fdc |
blocksize);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/*data_ptr += blocksize;*/
|
|
Packit |
549fdc |
cipher_data += blocksize;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
} else { /* AEAD */
|
|
Packit |
549fdc |
if (params->cipher->xor_nonce == 0) {
|
|
Packit |
549fdc |
/* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
if (params->write.IV.data == NULL
|
|
Packit |
549fdc |
|| params->write.IV.size !=
|
|
Packit |
549fdc |
imp_iv_size)
|
|
Packit |
549fdc |
return
|
|
Packit |
549fdc |
gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Instead of generating a new nonce on every packet, we use the
|
|
Packit |
549fdc |
* write.sequence_number (It is a MAY on RFC 5288), and safer
|
|
Packit |
549fdc |
* as it will never reuse a value.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
memcpy(nonce, params->write.IV.data,
|
|
Packit |
549fdc |
params->write.IV.size);
|
|
Packit |
549fdc |
memcpy(&nonce[imp_iv_size],
|
|
Packit |
549fdc |
UINT64DATA(params->write.sequence_number),
|
|
Packit |
549fdc |
8);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
memcpy(data_ptr, &nonce[imp_iv_size],
|
|
Packit |
549fdc |
exp_iv_size);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/*data_ptr += exp_iv_size;*/
|
|
Packit |
549fdc |
cipher_data += exp_iv_size;
|
|
Packit |
549fdc |
} else { /* XOR nonce with IV */
|
|
Packit |
549fdc |
if (unlikely(params->write.IV.size != 12 || imp_iv_size != 12 || exp_iv_size != 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
memset(nonce, 0, 4);
|
|
Packit |
549fdc |
memcpy(&nonce[4],
|
|
Packit |
549fdc |
UINT64DATA(params->write.sequence_number), 8);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
memxor(nonce, params->write.IV.data, 12);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (etm)
|
|
Packit |
549fdc |
ret = length-tag_size;
|
|
Packit |
549fdc |
else
|
|
Packit |
549fdc |
ret = plain->size;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
preamble_size =
|
|
Packit |
549fdc |
make_preamble(UINT64DATA(params->write.sequence_number),
|
|
Packit |
549fdc |
type, ret, ver, preamble);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) {
|
|
Packit |
549fdc |
/* add the authenticated data */
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
_gnutls_auth_cipher_add_auth(¶ms->write.cipher_state,
|
|
Packit |
549fdc |
preamble, preamble_size);
|
|
Packit |
549fdc |
if (ret < 0)
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (etm && explicit_iv) {
|
|
Packit |
549fdc |
/* In EtM we need to hash the IV as well */
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
_gnutls_auth_cipher_add_auth(¶ms->write.cipher_state,
|
|
Packit |
549fdc |
full_cipher_ptr, blocksize);
|
|
Packit |
549fdc |
if (ret < 0)
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Actual encryption.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
_gnutls_auth_cipher_encrypt2_tag(¶ms->write.cipher_state,
|
|
Packit |
549fdc |
plain->data,
|
|
Packit |
549fdc |
plain->size, cipher_data,
|
|
Packit |
549fdc |
cipher_size, pad);
|
|
Packit |
549fdc |
if (ret < 0)
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
} else { /* AEAD */
|
|
Packit |
549fdc |
ret = _gnutls_aead_cipher_encrypt(¶ms->write.cipher_state.cipher,
|
|
Packit |
549fdc |
nonce, imp_iv_size + exp_iv_size,
|
|
Packit |
549fdc |
preamble, preamble_size,
|
|
Packit |
549fdc |
tag_size,
|
|
Packit |
549fdc |
plain->data, plain->size,
|
|
Packit |
549fdc |
cipher_data, cipher_size);
|
|
Packit |
549fdc |
if (ret < 0)
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return length;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static void dummy_wait(record_parameters_st * params,
|
|
Packit |
549fdc |
gnutls_datum_t * plaintext, unsigned pad_failed,
|
|
Packit |
549fdc |
unsigned int pad, unsigned total)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
/* this hack is only needed on CBC ciphers */
|
|
Packit |
549fdc |
if (_gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) {
|
|
Packit |
549fdc |
unsigned len;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* force an additional hash compression function evaluation to prevent timing
|
|
Packit |
549fdc |
* attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
if (pad_failed == 0 && pad > 0) {
|
|
Packit |
549fdc |
len = _gnutls_mac_block_size(params->mac);
|
|
Packit |
549fdc |
if (len > 0) {
|
|
Packit |
549fdc |
/* This is really specific to the current hash functions.
|
|
Packit |
549fdc |
* It should be removed once a protocol fix is in place.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
if ((pad + total) % len > len - 9
|
|
Packit |
549fdc |
&& total % len <= len - 9) {
|
|
Packit |
549fdc |
if (len < plaintext->size)
|
|
Packit |
549fdc |
_gnutls_auth_cipher_add_auth
|
|
Packit |
549fdc |
(¶ms->read.
|
|
Packit |
549fdc |
cipher_state,
|
|
Packit |
549fdc |
plaintext->data, len);
|
|
Packit |
549fdc |
else
|
|
Packit |
549fdc |
_gnutls_auth_cipher_add_auth
|
|
Packit |
549fdc |
(¶ms->read.
|
|
Packit |
549fdc |
cipher_state,
|
|
Packit |
549fdc |
plaintext->data,
|
|
Packit |
549fdc |
plaintext->size);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Deciphers the ciphertext packet, and puts the result to plain.
|
|
Packit |
549fdc |
* Returns the actual plaintext packet size.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
static int
|
|
Packit |
549fdc |
decrypt_packet(gnutls_session_t session,
|
|
Packit |
549fdc |
gnutls_datum_t * ciphertext,
|
|
Packit |
549fdc |
gnutls_datum_t * plain,
|
|
Packit |
549fdc |
uint8_t type, record_parameters_st * params,
|
|
Packit |
549fdc |
gnutls_uint64 * sequence)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
uint8_t tag[MAX_HASH_SIZE];
|
|
Packit |
549fdc |
uint8_t nonce[MAX_CIPHER_BLOCK_SIZE];
|
|
Packit |
549fdc |
const uint8_t *tag_ptr = NULL;
|
|
Packit |
549fdc |
unsigned int pad = 0, i;
|
|
Packit |
549fdc |
int length, length_to_decrypt;
|
|
Packit |
549fdc |
uint16_t blocksize;
|
|
Packit |
549fdc |
int ret;
|
|
Packit |
549fdc |
unsigned int tmp_pad_failed = 0;
|
|
Packit |
549fdc |
unsigned int pad_failed = 0;
|
|
Packit |
549fdc |
uint8_t preamble[MAX_PREAMBLE_SIZE];
|
|
Packit |
549fdc |
unsigned int preamble_size = 0;
|
|
Packit |
549fdc |
const version_entry_st *ver = get_version(session);
|
|
Packit |
549fdc |
unsigned int tag_size =
|
|
Packit |
549fdc |
_gnutls_auth_cipher_tag_len(¶ms->read.cipher_state);
|
|
Packit |
549fdc |
unsigned int explicit_iv = _gnutls_version_has_explicit_iv(ver);
|
|
Packit |
549fdc |
unsigned imp_iv_size, exp_iv_size;
|
|
Packit |
549fdc |
unsigned cipher_type = _gnutls_cipher_type(params->cipher);
|
|
Packit |
549fdc |
bool etm = 0;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (unlikely(ver == NULL))
|
|
Packit |
549fdc |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher);
|
|
Packit |
549fdc |
exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher);
|
|
Packit |
549fdc |
blocksize = _gnutls_cipher_get_block_size(params->cipher);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (params->etm !=0 && cipher_type == CIPHER_BLOCK)
|
|
Packit |
549fdc |
etm = 1;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* if EtM mode and not AEAD */
|
|
Packit |
549fdc |
if (etm) {
|
|
Packit |
549fdc |
if (unlikely(ciphertext->size < tag_size))
|
|
Packit |
549fdc |
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
preamble_size = make_preamble(UINT64DATA(*sequence),
|
|
Packit |
549fdc |
type, ciphertext->size-tag_size,
|
|
Packit |
549fdc |
ver, preamble);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = _gnutls_auth_cipher_add_auth(¶ms->read.
|
|
Packit |
549fdc |
cipher_state, preamble,
|
|
Packit |
549fdc |
preamble_size);
|
|
Packit |
549fdc |
if (unlikely(ret < 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = _gnutls_auth_cipher_add_auth(¶ms->read.
|
|
Packit |
549fdc |
cipher_state,
|
|
Packit |
549fdc |
ciphertext->data,
|
|
Packit |
549fdc |
ciphertext->size-tag_size);
|
|
Packit |
549fdc |
if (unlikely(ret < 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = _gnutls_auth_cipher_tag(¶ms->read.cipher_state, tag, tag_size);
|
|
Packit |
549fdc |
if (unlikely(ret < 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (unlikely(gnutls_memcmp(tag, &ciphertext->data[ciphertext->size-tag_size], tag_size) != 0)) {
|
|
Packit |
549fdc |
/* HMAC was not the same. */
|
|
Packit |
549fdc |
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* actual decryption (inplace)
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
switch (cipher_type) {
|
|
Packit |
549fdc |
case CIPHER_AEAD:
|
|
Packit |
549fdc |
/* The way AEAD ciphers are defined in RFC5246, it allows
|
|
Packit |
549fdc |
* only stream ciphers.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
if (unlikely(_gnutls_auth_cipher_is_aead(¶ms->read.
|
|
Packit |
549fdc |
cipher_state) == 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (unlikely(ciphertext->size < (tag_size + exp_iv_size)))
|
|
Packit |
549fdc |
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (params->cipher->xor_nonce == 0) {
|
|
Packit |
549fdc |
/* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
if (unlikely
|
|
Packit |
549fdc |
(params->read.IV.data == NULL
|
|
Packit |
549fdc |
|| params->read.IV.size != 4))
|
|
Packit |
549fdc |
return
|
|
Packit |
549fdc |
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
memcpy(nonce, params->read.IV.data,
|
|
Packit |
549fdc |
imp_iv_size);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
memcpy(&nonce[imp_iv_size],
|
|
Packit |
549fdc |
ciphertext->data, exp_iv_size);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ciphertext->data += exp_iv_size;
|
|
Packit |
549fdc |
ciphertext->size -= exp_iv_size;
|
|
Packit |
549fdc |
} else { /* XOR nonce with IV */
|
|
Packit |
549fdc |
if (unlikely(params->read.IV.size != 12 || imp_iv_size != 12 || exp_iv_size != 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
memset(nonce, 0, 4);
|
|
Packit |
549fdc |
memcpy(&nonce[4], UINT64DATA(*sequence), 8);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
memxor(nonce, params->read.IV.data, 12);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
length =
|
|
Packit |
549fdc |
ciphertext->size - tag_size;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
length_to_decrypt = ciphertext->size;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Pass the type, version, length and plain through
|
|
Packit |
549fdc |
* MAC.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
preamble_size =
|
|
Packit |
549fdc |
make_preamble(UINT64DATA(*sequence), type,
|
|
Packit |
549fdc |
length, ver, preamble);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (unlikely
|
|
Packit |
549fdc |
((unsigned) length_to_decrypt > plain->size)) {
|
|
Packit |
549fdc |
_gnutls_audit_log(session,
|
|
Packit |
549fdc |
"Received %u bytes, while expecting less than %u\n",
|
|
Packit |
549fdc |
(unsigned int) length_to_decrypt,
|
|
Packit |
549fdc |
(unsigned int) plain->size);
|
|
Packit |
549fdc |
return
|
|
Packit |
549fdc |
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = _gnutls_aead_cipher_decrypt(¶ms->read.cipher_state.cipher,
|
|
Packit |
549fdc |
nonce, exp_iv_size + imp_iv_size,
|
|
Packit |
549fdc |
preamble, preamble_size,
|
|
Packit |
549fdc |
tag_size,
|
|
Packit |
549fdc |
ciphertext->data, length_to_decrypt,
|
|
Packit |
549fdc |
plain->data, plain->size);
|
|
Packit |
549fdc |
if (unlikely(ret < 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return length;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
break;
|
|
Packit |
549fdc |
case CIPHER_STREAM:
|
|
Packit |
549fdc |
if (unlikely(ciphertext->size < tag_size))
|
|
Packit |
549fdc |
return
|
|
Packit |
549fdc |
gnutls_assert_val
|
|
Packit |
549fdc |
(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
length_to_decrypt = ciphertext->size;
|
|
Packit |
549fdc |
length = ciphertext->size - tag_size;
|
|
Packit |
549fdc |
tag_ptr = plain->data + length;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Pass the type, version, length and plain through
|
|
Packit |
549fdc |
* MAC.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
preamble_size =
|
|
Packit |
549fdc |
make_preamble(UINT64DATA(*sequence), type,
|
|
Packit |
549fdc |
length, ver, preamble);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
_gnutls_auth_cipher_add_auth(¶ms->read.
|
|
Packit |
549fdc |
cipher_state, preamble,
|
|
Packit |
549fdc |
preamble_size);
|
|
Packit |
549fdc |
if (unlikely(ret < 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (unlikely
|
|
Packit |
549fdc |
((unsigned) length_to_decrypt > plain->size)) {
|
|
Packit |
549fdc |
_gnutls_audit_log(session,
|
|
Packit |
549fdc |
"Received %u bytes, while expecting less than %u\n",
|
|
Packit |
549fdc |
(unsigned int) length_to_decrypt,
|
|
Packit |
549fdc |
(unsigned int) plain->size);
|
|
Packit |
549fdc |
return
|
|
Packit |
549fdc |
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
_gnutls_auth_cipher_decrypt2(¶ms->read.
|
|
Packit |
549fdc |
cipher_state,
|
|
Packit |
549fdc |
ciphertext->data,
|
|
Packit |
549fdc |
length_to_decrypt,
|
|
Packit |
549fdc |
plain->data,
|
|
Packit |
549fdc |
plain->size);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (unlikely(ret < 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
break;
|
|
Packit |
549fdc |
case CIPHER_BLOCK:
|
|
Packit |
549fdc |
if (unlikely(ciphertext->size < blocksize))
|
|
Packit |
549fdc |
return
|
|
Packit |
549fdc |
gnutls_assert_val
|
|
Packit |
549fdc |
(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (etm == 0) {
|
|
Packit |
549fdc |
if (unlikely(ciphertext->size % blocksize != 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
if (unlikely((ciphertext->size - tag_size) % blocksize != 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* ignore the IV in TLS 1.1+
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
if (explicit_iv) {
|
|
Packit |
549fdc |
_gnutls_auth_cipher_setiv(¶ms->read.
|
|
Packit |
549fdc |
cipher_state,
|
|
Packit |
549fdc |
ciphertext->data,
|
|
Packit |
549fdc |
blocksize);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
memcpy(nonce, ciphertext->data, blocksize);
|
|
Packit |
549fdc |
ciphertext->size -= blocksize;
|
|
Packit |
549fdc |
ciphertext->data += blocksize;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (unlikely(ciphertext->size < tag_size + 1))
|
|
Packit |
549fdc |
return
|
|
Packit |
549fdc |
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* we don't use the auth_cipher interface here, since
|
|
Packit |
549fdc |
* TLS with block ciphers is impossible to be used under such
|
|
Packit |
549fdc |
* an API. (the length of plaintext is required to calculate
|
|
Packit |
549fdc |
* auth_data, but it is not available before decryption).
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
if (unlikely(ciphertext->size > plain->size))
|
|
Packit |
549fdc |
return
|
|
Packit |
549fdc |
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (etm == 0) {
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
_gnutls_cipher_decrypt2(¶ms->read.cipher_state.
|
|
Packit |
549fdc |
cipher, ciphertext->data,
|
|
Packit |
549fdc |
ciphertext->size,
|
|
Packit |
549fdc |
plain->data,
|
|
Packit |
549fdc |
plain->size);
|
|
Packit |
549fdc |
if (unlikely(ret < 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
pad = plain->data[ciphertext->size - 1]; /* pad */
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Check the pading bytes (TLS 1.x).
|
|
Packit |
549fdc |
* Note that we access all 256 bytes of ciphertext for padding check
|
|
Packit |
549fdc |
* because there is a timing channel in that memory access (in certain CPUs).
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
#ifdef ENABLE_SSL3
|
|
Packit |
549fdc |
if (ver->id != GNUTLS_SSL3)
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
for (i = 2; i <= MIN(256, ciphertext->size); i++) {
|
|
Packit |
549fdc |
tmp_pad_failed |=
|
|
Packit |
549fdc |
(plain->
|
|
Packit |
549fdc |
data[ciphertext->size - i] != pad);
|
|
Packit |
549fdc |
pad_failed |=
|
|
Packit |
549fdc |
((i <= (1 + pad)) & (tmp_pad_failed));
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (unlikely
|
|
Packit |
549fdc |
(pad_failed != 0
|
|
Packit |
549fdc |
|| (1 + pad > ((int) ciphertext->size - tag_size)))) {
|
|
Packit |
549fdc |
/* We do not fail here. We check below for the
|
|
Packit |
549fdc |
* the pad_failed. If zero means success.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
pad_failed = 1;
|
|
Packit |
549fdc |
pad = 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
length = ciphertext->size - tag_size - pad - 1;
|
|
Packit |
549fdc |
tag_ptr = &plain->data[length];
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Pass the type, version, length and plain through
|
|
Packit |
549fdc |
* MAC.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
preamble_size =
|
|
Packit |
549fdc |
make_preamble(UINT64DATA(*sequence), type,
|
|
Packit |
549fdc |
length, ver, preamble);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
_gnutls_auth_cipher_add_auth(¶ms->read.
|
|
Packit |
549fdc |
cipher_state, preamble,
|
|
Packit |
549fdc |
preamble_size);
|
|
Packit |
549fdc |
if (unlikely(ret < 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
_gnutls_auth_cipher_add_auth(¶ms->read.
|
|
Packit |
549fdc |
cipher_state,
|
|
Packit |
549fdc |
plain->data, length);
|
|
Packit |
549fdc |
if (unlikely(ret < 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
} else { /* EtM */
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
_gnutls_cipher_decrypt2(¶ms->read.cipher_state.
|
|
Packit |
549fdc |
cipher, ciphertext->data,
|
|
Packit |
549fdc |
ciphertext->size - tag_size,
|
|
Packit |
549fdc |
plain->data,
|
|
Packit |
549fdc |
plain->size);
|
|
Packit |
549fdc |
if (unlikely(ret < 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
pad = plain->data[ciphertext->size - tag_size - 1]; /* pad */
|
|
Packit |
549fdc |
length = ciphertext->size - tag_size - pad - 1;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (unlikely(length < 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
break;
|
|
Packit |
549fdc |
default:
|
|
Packit |
549fdc |
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* STREAM or BLOCK arrive here */
|
|
Packit |
549fdc |
if (etm == 0) {
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
_gnutls_auth_cipher_tag(¶ms->read.cipher_state, tag,
|
|
Packit |
549fdc |
tag_size);
|
|
Packit |
549fdc |
if (unlikely(ret < 0))
|
|
Packit |
549fdc |
return gnutls_assert_val(ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Here there could be a timing leakage in CBC ciphersuites that
|
|
Packit |
549fdc |
* could be exploited if the cost of a successful memcmp is high.
|
|
Packit |
549fdc |
* A constant time memcmp would help there, but it is not easy to maintain
|
|
Packit |
549fdc |
* against compiler optimizations. Currently we rely on the fact that
|
|
Packit |
549fdc |
* a memcmp comparison is negligible over the crypto operations.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
if (unlikely
|
|
Packit |
549fdc |
(gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) {
|
|
Packit |
549fdc |
/* HMAC was not the same. */
|
|
Packit |
549fdc |
dummy_wait(params, plain, pad_failed, pad,
|
|
Packit |
549fdc |
length + preamble_size);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return length;
|
|
Packit |
549fdc |
}
|